Skip navigation
Share:|

Latest details from BMC

Last Updated: March 10, 2016 12:40PM CST

 

On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. Of the seven vulnerabilities posted, three are related to the DROWN attack. DROWN exploits weaknesses in SSL version 2 (SSLv2) to enable an attacker to collect and decrypt TLS sessions. A successful attack requires the ability to collect traffic for a server that supports both TLS and SSLv2.

 

Environments that have been configured to disable SSLv2 as well as export grade ciphers are not vulnerable to DROWN. Therefore if you have performed steps to mitigate both the TLS Logjam and POODLE attacks - you are not vulnerable. Additionally, the attack is further deflected by ensuring private certificates are not shared among multiple servers (where one is configured to allow SSLv2 and the other is not).

The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL DROWN vulnerability. Although they might not be vulnerable to the attack (not used for TLS, or SSLv2 disabled), they have patches or remediation advice available.
Products Which Include Affected OpenSSLRemediation / Patches
BMC MainView Console Automation for zEnterpriseMainView Console Management Cumulative SSL Security Patch 2016.03.07 is available for download on BMC Electronic Product Distribution (EPD).
BMC Discovery (previously ADDM)See BMC Discovery blog in communities.

BMC Control-M/Enterprise Manager

BMC Control-M/Server

BMC Control-M/Agent

V8 and V9

V7

  • Use different private key for each server
The products listed in Table 2 below either do not include OpenSSL libraries or are unaffected by the DROWN vulnerability.
Products that do not include OpenSSLProducts that include OpenSSL, but are not vulnerable
BMC Atrium Orchestrator
BMC Cloud Lifecycle Management
BMC Decision Support for Database Automation

 

BMC Decision Support for Network Automation
BMC MainView for z/OS solutions
BMC IMS for z/OS solutions
(all products and versions)

 

BMC DB2 for z/OS solutions
(all products and versions)
BMC Middleware Automation
BMC TrueSight Middleware Administration

BMC Middleware Management -

Transaction Analytics for WebSphere MQ (StatWatch)

 

BMC Release Process Manager
BMC BladeLogic Client Automation
BMC BladeLogic Portal
BMC AppSight
BMC Identity Management
BMC IT Business Management
BMC Network Automation
BMC Service Desk Express
BMC Service Level Management
BMC TrackIt!
BMC RemedyForce (all versions)
BMC Footprints Service Core/Renoir 12
BMC TrueSight Capacity Optimization prior to v10.5
BMC Event Manager
BMC TrueSight IT Data Analytics
BMC Storage Data Management
BMC Performance Manager for WebSphere Business Integration (WBI)
Aternity for BMC End User Experience Management Console and Agents (all versions)
BMC Education Solution Accelerator (ESA)
Moviri Integration for BMC Capacity Optimization
nlyte Enterprise Edition for BMC Software
Seamless Technologies Event Integration for BMC TrueSight Operations Management
BMC Mobile Device Management (MDM)
Sentry Software Integration for BMC Capacity Optimization
Sentry Software Monitoring for BMC TrueSight Operations Management
Sentry Software Adapters for BMC Atrium Orchestrator
SailPoint Provisioning Engine for BMC Software Solutions
SailPoint Compliance Manager for BMC Software Solutions
SailPoint Lifecycle Manager for BMC Software Solutions
Quindell  OS3 Frameworks for BMC Remedy
BMC Cost Analyzer for zEnterprise
BMC Intelligent Capping for zEnterprise
BMC Subsystem Optimization for zEnterprise
BMC Capacity Optimization for Mainframes

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL DROWN vulnerability.

Filter Blog

By date:
By tag: